Lawful interception (LI) is a method by which a lawful authority obtains communication-related data of a subscriber in a mobile communications network. Many countries have lawful interception capability requirements that make it possible to obtain communication data such as signaling data, network management information or content-related data of a subscriber or of a mobile user entity.
Furthermore, systems have been developed in which a WI-FI or WLAN access network is interacting with a mobile communications network and in this context, a Border Network Gateway, BNG, is used to provide a WLAN offload for a user, which means that a complementary network technology such as WLAN is used for delivering data originally targeted for the mobile communications network. In a non-seamless WLAN offload for a user, the user's payload session is not anchored to the packet core network of the mobile communications network, but offloaded directly from a WI-FI access controller to the Border Network Gateway, BNG.
FIG. 1 shows an example of a non-seamless WLAN offload architecture for an integrated WI-FI solution. A user entity 10, which can be a subscriber of the mobile communications network 20, but which does not need to be a subscriber, also connects to a WI-FI access point 30, which is connected to a WI-FI access control 31 and to a border network gateway 32. A web portal 33 is provided which is used for the access to the WI-FI network. A user may have to input a user name and a password to have access to the WI-FI network. A lawful interception intercept management system (LI-IMS) 40 is provided, which controls lawful interception. A WI-FI Authentication, Authorization and Accounting (AAA) unit 34 is provided. In the integrated network architecture, the WI-FI AAA 34 is connected to the Home Location Register, HLR, 21 or Home Subscriber Server, HSS, 22. Data packets of a data packet session from a network such as the internet 50 are transmitted to the BNG 32.
For users which connect and authenticate to the WI-FI network with a 3GPP identity such as MSISDN (Mobile Station Integrated Service Digital Network Number) or IMSI (International Mobile Subscriber Identity), the LI-IMS 40 uses those identities to send interception requests for a target, a 3GPP identity representing an identity used by the mobile communications network to identify a subscriber. For users which connect and authenticate to the WI-FI network using any Network Access Identifier, NAI, a value based on RFC 4282, e.g. an email ID, the LI-IMS 40 can use the MAC (Media Access Control) address of the user entity, the IP address of the user entity or a user name to send interception requests.
Interception points are the BNG 32 and the WI-FI AAA 34. The WI-FI AAA maps the user's device MAC address and the IP address of the user entity 10 with an identity with which the user accesses the WI-FI network, which is a non-3GPP identity, such as the user name. The non-3GPP identity is an identity which is not used by the mobile communication network to identify a subscriber in the network. The LI-IMS 40 can trigger the lawful interception based on either the user name, such as xxx.yyy@zzz.com, the IP address of the user entity or the MAC address of the user entity.
The LI-IMS 40 looks up a mapped Acct session ID against the target MAC address of the user entity, the IP address of the user entity or the user name and sends a lawful interception request to the RADIUS client, which is the BNG 32. This situation is also shown in further detail in a message exchange flow shown in FIGS. 2a and 2b. 
The different steps shown in FIGS. 2a and 2b are self-explanatory and are not all explained in detail. As shown in step 26, the LI-IMS 40 binds the network access identifier such as the user name with the MAC address, the IP address of the user entity and the Acct (Accounting)-Session-ID. When an operator or agent of the LI-IMS 40 wants to execute a lawful interception for a certain user, the email address such as xxx.yyy@zzz.com, the IP address or the MAC address is used to identify the user or user entity for which the lawful interception should be carried out. The LI-IMS 40 then checks the RADIUS client managing the user name, IP address or MAC address, looks up the mapped Acct session IDs and triggers the lawful interception at the client by sending an LI request to the BNG, which then confirms the activation of the lawful interception (steps 29-31).
When a system as shown in FIG. 1 is upgraded, i.e. when the mobile communications network is upgraded and provides a packet core network and thus provides a packet core network access, the data packet sessions of users are anchored to the packet core from a Trusted Wireless Access Gateway, TWAG, which replaces the BNG to allow anchoring of the data packet sessions of users to the packet core/PDN GW. The PDN gateway or TWAG is then used as the interception point with payload knowledge. In the LI-IMS, a target user has to be identified using a 3GPP identity, meaning an identity that is used in the mobile communications network to identify a subscriber, such as the MSISDN or the IMSI. IMEI (International Mobile Equipment Identity) is also a possible value that can be used by the LI-IMS as a target identifier for packet core lawful interception, but the IMEI value is not shared by the mobile user entity when connecting to the WI-FI network as described in 3GPP TS 23.402.
Lawful interception is started as soon as the user's GTP (General Packet Radio Service Tunneling Protocol) session is set up between the TWAG and the PDN gateway for the target user, or lawful interception could be started for an active GTP session. In such a situation, for a user who is identified only by a non-3GPP identity, the LI-IMS cannot send an LI request to the PDN gateway, as a mobile subscriber identity used in the mobile communications network has to be used. Thus, in this situation a lawful interception is not possible.
Thus, a need exists to provide a possibility for a lawful interception when a mobile user entity uses a packet core network of a mobile communications network and when a data packet session is transmitted to the mobile user entity via a wireless access network such as WI-FI or WLAN network and wherein the user entity is identified by the wireless access network using an identity which is not used by the mobile communications network to identify the user entity.
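The binding and lookup described above for FIGS. 2a and 2b, and the gap that appears once the interception point moves to the packet core, can be modelled as follows. This is an added example, not code from the described system: the class and function names, the "BNG"/"PDN-GW" labels, the session IDs and the addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

NON_3GPP = {"user_name", "mac", "ip"}  # identities known to the WI-FI AAA
THREE_GPP = {"msisdn", "imsi"}         # identities the packet core needs
MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2}", re.I)

def normalize(kind, value):
    """Canonical form, so a target matches however the operator typed it."""
    value = value.strip()
    if kind == "mac":
        if not MAC_RE.fullmatch(value):
            raise ValueError(f"not a MAC address: {value!r}")
        return re.sub(r"[:-]", "", value).lower()
    if kind == "ip":
        return str(ipaddress.ip_address(value))  # ValueError if malformed
    if kind == "user_name":
        return value
    raise ValueError(f"no binding is kept for identifier kind {kind!r}")

class BindingTable:
    """User name <-> MAC <-> IP <-> Acct-Session-ID binding (step 26)."""
    def __init__(self):
        self._index = defaultdict(list)

    def bind(self, user_name, mac, ip, acct_session_id, radius_client):
        session = (radius_client, acct_session_id)
        for kind, value in (("user_name", user_name), ("mac", mac), ("ip", ip)):
            self._index[(kind, normalize(kind, value))].append(session)

    def lookup(self, kind, value):
        return list(self._index.get((kind, normalize(kind, value)), []))

def plan_li_request(table, interception_point, kind, value):
    """Return (sessions, reason); reason is empty when a request can be sent."""
    if interception_point == "PDN-GW" and kind not in THREE_GPP:
        return [], "packet core needs MSISDN or IMSI; none is bound to this target"
    if interception_point == "BNG" and kind in NON_3GPP:
        sessions = table.lookup(kind, value)
        return sessions, "" if sessions else "no session bound to this target"
    return [], "combination not modelled in this sketch"

def demo_table():
    """Constructed sample data: one user name, two devices, one BNG."""
    t = BindingTable()
    t.bind("xxx.yyy@zzz.com", "AA:BB:CC:DD:EE:01", "192.0.2.10", "acct-0001", "bng-1")
    t.bind("xxx.yyy@zzz.com", "aa-bb-cc-dd-ee-02", "2001:DB8::5", "acct-0002", "bng-1")
    return t
```

With the BNG as interception point, any of the three non-3GPP identifiers resolves to the Acct-Session-IDs to target; with the PDN gateway, the same identifiers resolve to nothing the packet core can act on.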